Yes, I think that there is no way to deny a BIND depending on the group and originating IP condition. You can however deny any other access (read/compare/search). Depending on the filter you define for squid/sendmail/php web page (even the simplest objectClass=*) these conditions are equivalent (the ldapsearch will bind but it will always return an empty set)...

2008/5/9 C.S.R.C.Murthy <murthy at barc.gov.in>:
> Hi Andrey,
> As a first step, according to your suggestion, I have removed the default
> ACIs for anonymous and authenticated users. With this I expected that squid
> will not be able to BIND to the directory server as the default ACI action
> should be DENY in case there is no matching rule. But it is able to
> successfully BIND when I give proper login/password. If I am not able to
> deny BIND operation when there are no anonymous/authenticated ACI, then I
> will never be able to control BIND access, I assume. Please clarify.
>
> regards
> murthy
>
> Andrey Ivanov wrote:
> >
> > Anyway it is better to make the "allow" ACIs, not "deny" ACIs.
> >
> > As for your problem, here is what the ACIs should look like (supposing
> > that your groups are cn=INTERNET,ou=Groups,dc=example,dc=com and
> > cn=EMAIL,ou=Groups,dc=example,dc=com, IP addresses of your squid server
> > are 192.168.0.66 and 172.16.191.66, addresses of your email servers
> > 192.168.1.100 and 192.168.1.101)
> >
> > Delete all the default ACIs (for anonymous/authenticated users) and
> > choose the attributes that you want to expose (attr1, attr2...)
> >
> > For INTERNET group :
> > aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable
> > attributes to read for a certain ip adresses and to authentified
> > users";allow (read,search,compare)(((ip="192.168.0.66") or
> > (ip="172.16.191.66")) and (groupdn =
> > "ldap:///cn=INTERNET,ou=Groups,dc=example,dc=com"));)
> >
> > For EMAIL group :
> > aci: (targetattr = "attr1 || attr2")(version 3.0; acl "Enable
> > attributes to read for a certain ip adresses and to authentified
> > users";allow (read,search,compare)(((ip="192.168.1.100") or
> > (ip="192.168.1.101")) and (groupdn =
> > "ldap:///cn=EMAIL,ou=Groups,dc=example,dc=com"));)
> >
> > 2008/5/9 C.S.R.C.Murthy <murthy at barc.gov.in>:
> > >
> > > Dear Andrey,
> > > I did not make clear one point here. My exact ACI requirement is like
> > > this, I need to deny bind operation when the connecting DN belongs to a
> > > certain group and the request is coming from a certain IP address. How to do
> > > it in ACI? More specifically we have one INTERNET group and one EMAIL
> > > group. If a person is in INTERNET group he will be allowed to authenticate
> > > (BIND) only from squid proxy server. Similarly if a person belongs to EMAIL
> > > group he will be allowed to authenticate (BIND) only from email server. We
> > > are unable to achieve this type of control using ACI. Please help.
> > >
> > > regards
> > > murthy
> > >
> > > Andrey Ivanov wrote:
> > > >
> > > > You can do it like this, for example :
> > > >
> > > > ----------------------------------
> > > > aci: (targetattr = "uniqueMember || uidNumber || gidNumber ||
> > > > homeDirectory || loginShell || gecos")(version 3.0; acl "Enable
> > > > attributes to read for certain ip adresses and to authentified users";
> > > > allow (read,search,compare)(((ip="192.168.0.*") or (ip="172.16.191.*
> > > > ") or (ip="192.168.1.15") or (ip="172.16.126.1")) and
> > > > (userdn="ldap:///all"));)
> > > > ------------------------------------
> > > > Or you can simply use iptables...
> > > >
> > > > 2008/5/8 C.S.R.C.Murthy <murthy at barc.gov.in>:
> > > > >
> > > > > Hello all,
> > > > > I am using directory server for squid ldap authentication. Squid takes
> > > > > username/password, binds the directory server and if the BIND operation
> > > > > is successful it allows the user through proxy. My problem is how to specify
> > > > > an ACI so that BIND operation is allowed only from certain IP address? ACI
> > > > > allows me to restrict READ/SEARCH/WRITE operations but not BIND
> > > > > operation.
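As an added illustration (not code from the list thread or from the directory server), a small Python model of how the allow ACIs proposed above are evaluated for a given client IP and group membership: the BIND itself is not subject to ACIs, so what the rules decide is whether the search squid runs afterwards returns anything. It handles only the ip and groupdn keywords with and/or, and the sample ACIs and client contexts are constructed.

```python
import re
from fnmatch import fnmatch

ACI_RE = re.compile(r'(allow|deny)\s*\(([^)]*)\)\s*(.*);\)\s*$', re.S)   # rights list + bind rule
TOK_RE = re.compile(r'\s*(?:(\w+)\s*=\s*"([^"]*)"|(\(|\)|(?:and|or)\b))', re.I)

def tokenize(rule):
    toks, pos = [], 0
    while pos < len(rule.rstrip()):
        m = TOK_RE.match(rule, pos)
        if not m:
            raise ValueError("unparsable bind rule near %r" % rule[pos:pos + 20])
        toks.append((m[1].lower(), m[2]) if m[1] else m[3].lower())   # ('ip', '1.2.3.4') or '(' / 'and'
        pos = m.end()
    return toks

def primary(toks, ctx, i):
    if toks[i] == "(":
        val, i = evaluate(toks, ctx, i + 1)
        assert toks[i] == ")", "missing ')' in bind rule"
        return val, i + 1
    key, value = toks[i]
    if key == "ip":        # 389 DS ip rules accept * wildcards, e.g. 192.168.0.*
        return fnmatch(ctx["ip"], value), i + 1
    if key == "groupdn":   # ctx["groups"]: DNs of the groups the bound entry is in
        return value.removeprefix("ldap:///") in ctx["groups"], i + 1
    raise ValueError("unsupported bind-rule keyword " + key)

def evaluate(toks, ctx, i=0):
    """389 DS gives and/or no precedence: parentheses first, then left to right."""
    val, i = primary(toks, ctx, i)
    while i < len(toks) and toks[i] in ("and", "or"):
        rhs, j = primary(toks, ctx, i + 1)
        val, i = ((val and rhs) if toks[i] == "and" else (val or rhs)), j
    return val, i

def effective_rights(acis, ctx):
    """Rights ctx gets from the ACI list: nothing unless an allow matches, deny wins."""
    allowed, denied = set(), set()
    for aci in acis:
        kind, rights, rule = ACI_RE.search(aci).groups()
        if evaluate(tokenize(rule), ctx)[0]:
            (allowed if kind == "allow" else denied).update(r.strip() for r in rights.split(","))
    return allowed - denied
ACIS = [  # constructed sample: the two allow ACIs proposed in the thread, attribute list shortened
    '(targetattr = "uid || cn")(version 3.0; acl "INTERNET via squid"; allow (read,search,compare)'
    '(((ip="192.168.0.66") or (ip="172.16.191.66")) and (groupdn = "ldap:///cn=INTERNET,ou=Groups,dc=example,dc=com"));)',
    '(targetattr = "uid || cn")(version 3.0; acl "EMAIL via mail servers"; allow (read,search,compare)'
    '(((ip="192.168.1.100") or (ip="192.168.1.101")) and (groupdn = "ldap:///cn=EMAIL,ou=Groups,dc=example,dc=com"));)',
]
```

An empty result set for a given IP/group combination is what makes squid's search-based check fail even though the BIND succeeded.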